It can feel impossible to create and remember unique passwords for the hundreds of accounts and apps that the majority of us have: Netflix, Facebook, Uber, Twitter, Tidal, Target, Amazon, CVS, LinkedIn, and Mint Mobile.
Add to that a credit card and a bank account, plus all the accounts we have forgotten about. Many of us simply use the same password for all of them: something straightforward, something easy to remember, and just as easy for someone else to figure out.
I’ve started saving my passwords in Google Password Manager in recent years. It offered to assist, so I accepted. I’m lazy and unconcerned about security breaches because my bank account balance rarely exceeds a few hundred dollars.
The thought of someone gaining access to my Marvel Contest of Champions account isn’t too frightening. But am I really safe? I asked two security experts whether you should let your browser save your passwords or invest in password storage services like LastPass or 1Password.
“Everyday people need not be so concerned with low value accounts” such as music apps, video apps, video games and individual stores, said Brett M. Frischmann, a professor of law at Villanova University and an affiliate scholar of the Center for Internet and Society at Stanford Law School.
“If something goes wrong, you just abandon the accounts, create a new username and password, and as long as you don’t reuse the same password across all of your accounts, it doesn’t put other things at risk,” he said.
What Frischmann believes you should be concerned about are the accounts that contain money, such as “your 401(k) or your employer’s or your bank’s financial stuff,” he says. “There are certain high-value accounts that, if hacked, would jeopardise my livelihood or my assets.”
In those cases, he suggests conducting a quick Google search to ensure that the browser password service you use hasn’t recently been compromised.
He compared password managers to lockboxes, in which each individual password is stored in its own lockbox that hackers would struggle to open.
These businesses have “spent a significant amount of time researching ‘What are the bad guys doing?’ and ‘What can we do to protect ourselves?’ They are working hard to integrate the password filling experience with their browser. It’s just one less tool to master.”
According to Shostack, the advantage of paid password services like 1Password is that you can securely jump between computers that you don’t use very often, whereas password managers within browsers are best when you primarily use personal computers and phones.
For the average person, however, the password manager built into your browser is the best option.
“Over the last decade or two, the threats have morphed,” Shostack said. Hackers used to break into a computer system, take a list of passwords, and then run a program that rapidly guessed which passwords fit where.
“Now, the problem is phishing attacks. It’s password leaks by sites that haven’t done a good job of protecting them.”
The way to avoid being phished is to not open suspicious emails, and the way to limit the damage of a leak is to use a unique password for every account, and above all for the master password that protects the rest.
Frischmann said, “There’s common nonsense about password security among laypeople. There’s a difference between what experts agree on, what are best practices, and what laypeople believe… The tools you interact with sometimes teach you the wrong lessons.”
To create a strong password, make it long and complex. Toss in numbers at random between the letters. Sprinkle symbols all over the place.
Fortunately, password managers make this simple by suggesting passwords for you. Just make sure your master password is exceptionally hard to guess, “J65B#k4f#4Td3ULWD#$,” for example.
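To put the “long and complex” advice in numbers, here is an added example (not from the article, and not the code of any password manager) that draws a password from a cryptographically secure random source and estimates how many bits of entropy a password of a given shape has; the symbol set and the attacker's guess rate are assumptions.

```python
import math
import secrets
import string

# Character classes a generator draws from (the symbol set is an assumption).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "#$%&*+-=?@^_!"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)


def generate_password(length: int = 20) -> str:
    """Draw every position from the CSPRNG, keeping only candidates with all four classes."""
    if length < len(CLASSES):
        raise ValueError("need at least one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def pool_size(password: str) -> int:
    """Alphabet size an attacker must assume, based on which classes appear."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def entropy_bits(password: str) -> float:
    """Upper bound: assumes each position is uniformly random over the pool.
    A human-chosen string like 'password123' is far weaker than this number
    suggests, because it sits at the top of every wordlist."""
    return len(password) * math.log2(pool_size(password))


def brute_force_years(password: str, guesses_per_second: float = 1e11) -> float:
    """Expected years to search half the keyspace at an assumed offline guess rate."""
    expected_guesses = 2 ** (entropy_bits(password) - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in (generate_password(), "J65B#k4f#4Td3ULWD#$", "password123"):
        print(f"{pw:24} {entropy_bits(pw):6.1f} bits  ~{brute_force_years(pw):.2e} years")
```

The quoted master password works out to roughly 118 bits under this model, while an all-lowercase-plus-digits string of eleven characters is under 60 even before accounting for how predictable it is.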
It is critical that you save your master password to your browser or a password service rather than emailing it to yourself. Also, don’t keep a password list in a Word document.
“The attackers will search for that stuff. And they will find it pretty quickly… They know that people will store passwords next to the word secret or my special words or passwords or passwords spelt with a Z,” Shostack said.
Instead, write it down on a piece of paper and hide it in a drawer where no one will see it.